Types of searches

As you search, you will begin to recognize patterns and identify more information that can be useful as searchable fields. You can configure Splunk software to recognize these new fields as you index new data, or you can create new fields as you search. Whatever you learn, you can use, add, and edit this knowledge about fields, events, and transactions to your event data. This capturing of knowledge helps you to construct more efficient searches and build more detailed reports.

Before delving into the language and syntax of search, you should ask what you are trying to accomplish. Generally, after getting data into your Splunk deployment, you want to:

Investigate to learn more about the data you just indexed or to find the root cause of an issue.

Summarize your search results into a report, whether tabular or other visualization format.

Because of this, you might hear us refer to two types of searches: Raw event searches and transforming searches.

Raw event searches

Raw event searches are searches that just retrieve events from an index or indexes, and are typically used when you want to analyze a problem. Some examples of these searches include: checking error codes, correlating events, investigating security issues, and analyzing failures. These searches do not usually include search commands (except search, itself), and the results are typically a list of raw events.

Transforming searches

Transforming searches are searches that perform some type of statistical calculation against a set of results. These are searches where you first retrieve events from an index and then pass the events into one or more search commands. These searches will always require fields and at least one of a set of statistical commands. Some examples include: getting a daily count of error events, counting the number of times a specific user has logged in, or calculating the 95th percentile of field values.

Information density

Whether you are retrieving raw events or building a report, you should also consider whether you are running a search for sparse or dense information:

Sparse searches are searches that look for a single event or an event that occurs infrequently within a large set of data. You have probably heard these referred to as 'needle in a haystack' or "rare term" searches. Some examples of these searches include: searching for a specific and unique IP address or error code.

Dense searches are searches that scan through and report on many events. Some examples of these searches include: counting the number of errors that occurred or finding all events from a specific host.

Comments

Types of searches

Enter your email address, and someone from the documentation team will respond to you:

Send me a copy of this feedback

Please provide your comments here. Ask a question or make a suggestion.

Feedback submitted, thanks!

You must be logged into splunk.com in order to post comments.
Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic.
If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk,
consider posting a question to Splunkbase Answers.

0
out of 1000 Characters

Your Comment Has Been Posted Above

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website.
Learn more (including how to update your settings) here »